efc09376702b809856b2053a80de97ef03a388bd96bb125b246bae31aa7a90af

Analysis

max time kernel
117s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
Size

1.4MB
MD5

ead2b149fb67b84f592edbe2f2223d70
SHA1

fafcc7c943e2fc0031b635c869a9f1a6638efacd
SHA256

efc09376702b809856b2053a80de97ef03a388bd96bb125b246bae31aa7a90af
SHA512

da141094b93f4bec79a8390cc233445d63e2203ac45595d7773ac99028231f8d6dcc8a5a07af4fac3926fee4f4a174eaaee081561c60dcc21420862bf6d55f11
SSDEEP

24576:nxss/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVh:v/4Qf4pxPctqG8IllnxvdsxZ4Uh

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\jishu_260046\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_260046\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_260046\FlashIcon.ico	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_260046\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_260046\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft260046\CoralExplorer_200404.exe	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CoralExplorer	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_260046\ImgCache\www.2144.net_favicon.ico	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft260046\a	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_260046\dailytips.ini	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_260046\newnew.exe	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft260046\B_4620114606464618004626464646.txt	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft260046\4620114606464618004626464646.txt	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft260046\down_7383.exe	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_260046\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_260046\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\jishu_260046\jishu_260046.ini	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft260046\w02.exe	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_260046\sc\GoogleËÑË÷.url	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_260046\4620114606464618004626464646_ini.txt	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432891727"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30bc4029630adb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5309D101-7656-11EF-B462-D60C98DC526F} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000004ee0b2be97137420eed59a86ef805c549609ab8a9d66d03543b2d11ceec0d300000000000e8000000002000020000000dd93c64c040a02ebf2ea12534c4116131b3b2f958c1209510df881e640625eb320000000e45fcc7cb8aa6876f54938d9422c7c1ec96ef36bf1d68e9cb37f781a6209546b40000000a4281f1fc9a84a7a1cb7ba75b267288594cb7ddab1d535ecdfab7ebc98a51a319a243543c969bb0c81e0ec55d17cdf76d793f4637d9475e0145de3f854ebb161	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f5420000000002000000000010660000000100002000000020bc5787db82227c84c2a1d6e91d788507b0bff78c2a47d1070f7b4349b07350000000000e8000000002000020000000ed90abc5ee88371c7ea08ccbe3a9b2b709e30c07b6a43704f88637f22f78ee1490000000a339aa597d431cc1b002892df7fec0125a522dbb82d74d2edf3efe1ebbdd7008a899afeac84305639e5731cd3b0ca2ded17404afb7cb16fbf3c334356f771ffe5903384e988132ba616fcc2e8d185d35472fddf0dd6720219dfc91362829473c6da9381eafcacab6146fdb3b71f24a639e15b714e0310f45431fe6b53c3e995bad48703e1601ada5bbd389161b002b5e40000000241ab10df64d300a79feab8e12cdf34e2ea18a9e4e14a8c9d0ca1764572e524593eba97c6ab17c9c21bab5368c30c508d4ab57a700c6b9714927402e544ebab3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5309A9F1-7656-11EF-B462-D60C98DC526F} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2556	IEXPLORE.EXE
1928	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2556	IEXPLORE.EXE
2556	IEXPLORE.EXE
1928	IEXPLORE.EXE
1928	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2512	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2512	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2512	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2512	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2512	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2512	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2512	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2496	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2496	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2496	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2496	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2496	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2496	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	31
PID 1956 wrote to memory of 2496	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	31
PID 2512 wrote to memory of 2556	2512	IEXPLORE.EXE	32
PID 2512 wrote to memory of 2556	2512	IEXPLORE.EXE	32
PID 2512 wrote to memory of 2556	2512	IEXPLORE.EXE	32
PID 2512 wrote to memory of 2556	2512	IEXPLORE.EXE	32
PID 2496 wrote to memory of 1928	2496	IEXPLORE.EXE	33
PID 2496 wrote to memory of 1928	2496	IEXPLORE.EXE	33
PID 2496 wrote to memory of 1928	2496	IEXPLORE.EXE	33
PID 2496 wrote to memory of 1928	2496	IEXPLORE.EXE	33
PID 1956 wrote to memory of 2932	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	34
PID 1956 wrote to memory of 2932	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	34
PID 1956 wrote to memory of 2932	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	34
PID 1956 wrote to memory of 2932	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	34
PID 1956 wrote to memory of 2932	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	34
PID 1956 wrote to memory of 2932	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	34
PID 1956 wrote to memory of 2932	1956	ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2752	2556	IEXPLORE.EXE	35
PID 2556 wrote to memory of 2752	2556	IEXPLORE.EXE	35
PID 2556 wrote to memory of 2752	2556	IEXPLORE.EXE	35
PID 2556 wrote to memory of 2752	2556	IEXPLORE.EXE	35
PID 2556 wrote to memory of 2752	2556	IEXPLORE.EXE	35
PID 2556 wrote to memory of 2752	2556	IEXPLORE.EXE	35
PID 2556 wrote to memory of 2752	2556	IEXPLORE.EXE	35
PID 1928 wrote to memory of 2916	1928	IEXPLORE.EXE	36
PID 1928 wrote to memory of 2916	1928	IEXPLORE.EXE	36
PID 1928 wrote to memory of 2916	1928	IEXPLORE.EXE	36
PID 1928 wrote to memory of 2916	1928	IEXPLORE.EXE	36
PID 1928 wrote to memory of 2916	1928	IEXPLORE.EXE	36
PID 1928 wrote to memory of 2916	1928	IEXPLORE.EXE	36
PID 1928 wrote to memory of 2916	1928	IEXPLORE.EXE	36
PID 2932 wrote to memory of 2188	2932	Wscript.exe	37
PID 2932 wrote to memory of 2188	2932	Wscript.exe	37
PID 2932 wrote to memory of 2188	2932	Wscript.exe	37
PID 2932 wrote to memory of 2188	2932	Wscript.exe	37
PID 2932 wrote to memory of 2188	2932	Wscript.exe	37
PID 2932 wrote to memory of 2188	2932	Wscript.exe	37
PID 2932 wrote to memory of 2188	2932	Wscript.exe	37

C:\Users\Admin\AppData\Local\Temp\ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ead2b149fb67b84f592edbe2f2223d70_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.teaini.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.teaini.com
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2752
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://sadfsdafsadf.zaiqu.net:81/wangdaqing/none.htm?w02
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://sadfsdafsadf.zaiqu.net:81/wangdaqing/none.htm?w02
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2916
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft260046\b_2646.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\soft260046\300.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft260046\300.bat

Filesize
3KB

MD5
090844b5d0679dab8a272036f5fb6cdc

SHA1
9742dd9aa79e1fbdcae1e148663ec41c7af4642f

SHA256
2ef1983f6200ac47092f2d29040598fdb8401b3988891c70fe263dee968b1f6e

SHA512
3e6e1a3a2c55cca8e9e9a977de26ec63c5022f11665b17005bb653998eb1bfdae0e58ce6f71e4bd14f0026c35dcbda1eae59546689e6e98c27e3000c137292d0

Download Submit
C:\Program Files (x86)\soft260046\b_2646.vbs

Filesize
274B

MD5
abac4c2e81caa82722edd75b10dbca71

SHA1
78725bec6f88f88cbb9e51db82d1f2c837f782ad

SHA256
abbc5762a302bef8d686fd5e4d59f1961fa93d67234d750b8017a252e7d935b5

SHA512
3ab01b9fc5b7efd07e9cbd3b498a1aac00bca3c19a1b6cd52f921e7007a797ad3ae7db2fd157546ebd1acae16910a9104c4186322377b82008791bb70b736032

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
377958af61fd46e5c10969240aa2e234

SHA1
1877cfcc4036b22233e98bd41b3b883dd1c4a03b

SHA256
dfda2de61aaa59308f6fbaaefa97ab553f89d56f46203dc8d262f884d9034238

SHA512
72d56f7fc447ae19732fd5eaa0a48805a235f58fa84948f49af125df5f2a75ef32ba1acb95bc2f7eba6f3aae9e2acc35bab88864fe72da6b0d4848312e5d7c35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45d4fbac7a7484bd4382a0b620e2bb7e

SHA1
eeed4a4b5cd768f8e2b799e1eff2e39eeec15413

SHA256
95041963f63c9d2e0c6597d1824818f690b89054022720f4010a8c2d86255110

SHA512
ab0bfec35fb592277180f5d7f323f0454c8d2031274b8efeba8148411ac1b7640f6be8bc76b641f985181c0c4ac327ecca61c11b780e022bb4d98ed8dc101ee8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44676b488e535052a668ce394727dd88

SHA1
159bd31b9472f3ce0df9a84e4df12d4bbb57da1e

SHA256
2c458d35cbd18905507643cfbaf0613b8f8a4f6db55416f4448468d240ff0e3f

SHA512
3acdbf5df2ee490a0cd16603138a46b2fd7d7890e65f784eb26e35bbfca2c40a235971272b2eb894501d75f7e406e1848544f2d371df763f21ce63fc97af3f3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b65ac846cec4226f2c426fac9df6c249

SHA1
8930957ba4f1704a63bcf18d7a3fb9a87193c6b3

SHA256
19f70a652cd5581e44f24c26df8405bdab1ab5aedff81cd537e6ddd35e091237

SHA512
69bdd22cf963eb45256c247f7d23cd9ed3d70e776cffb279433de9c48d289eb6569b6af58dbc5c1b5cb0fdaeaec2558cda1b5ea8e4f6851b48357500da2687e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
783bfd43ce868920715e4a61f7df7f11

SHA1
a0924884f7a60f338b96b1dc9b98a3b999f213c2

SHA256
51bc1d524bc9ced04d2d8750555dffa5e19736d27680d9290857d0381f7af5bf

SHA512
6b7bf8a0b3cabdef12c6110537ac3e1ca7a852c8c445eec78ab1befc1245c55840ba2c853039d10e8b6c844e965c43b8329c7b183615070855b76fa2f718a8a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17c8fd42ef92c99f3583fb4f334f57ed

SHA1
27dffe2378d0b5ca45c43ee57d404fe9fa2f4269

SHA256
239ca4ed00e46e86f3a7e650ed1fcfdb0f3c5b14b39f6b52be33dcb03306c789

SHA512
179651cd10895337238656f60c45e364b06ebad2e4cc85aa4e76b0d5070a035f46eb2baf83186bb007e20175061b798fccdf88ba24f2ff8693c4a7fd517de3fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
effe3296c33a7b05c9a6c1eac8752441

SHA1
f1a7e3fc04b7597bdbb9e68ed52528576dcccfd2

SHA256
e73e78027e69f11c27baeb3e245381be385c04c26a854053bc0977a42f6dee54

SHA512
5d0939e85e45969e2c09c5fba17ead0681d0f6d50f5f2e58c96e2dce32b979cff44307b3f22967252e75b2226d14b94a3cc163f52b2ab4847c6de9a911705748

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efbd32316ffb0109ddce28c280d718c7

SHA1
95985b867efdd56d7958e84c375d7bb146ace2f8

SHA256
8688b38337dedbb3885df08696348d0f55bf909f3a75b4d45fd55cf0e23da80f

SHA512
b9c99273de544fc05439814a3cc05e63314d1ee724f4006d30133d2569b226296c62f5a2e42bafff6e195dac392a1edf1fab6d680105e0a4b6742019daeb9c28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98e4815257874f88a94cd38b55299b58

SHA1
2f5c97e86d2cd318b958c9d72cebd75261a607f8

SHA256
898467cfcd5ea9a919749f7d5d0e95013f16b0dfa52a46abc596787c62dc4288

SHA512
dbe7c3a272af71a8dc80b9ae0a895e4a7b4c036398444e9f6ecade04858a0f9cb37caf37bd42d111b7ad465ecd7488c205417c6f1c22054e42b61f3e06f3375f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b26b26b0a831be0686190a3742b978d

SHA1
c5a9f2696b5dff770b42d7a61c7f687b343c5757

SHA256
cbbebfd8d66cd315f87cbb5d437b1298c1f15f232fcfaf92a3d9ff53ace53029

SHA512
dd9748b62adbb736f13643bd60eb3e81fb5e69b50c192aff95b0a920f45f35ee6deb5354bf223fdeddfe6e85092a4fe5d664dc8ef29870eb1dcdc5d7dd4c016c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e394da182aecd17cf9105de3e7f24316

SHA1
e36096fadddb05e82627035cadf32133ce0fed64

SHA256
b55dd4e2ef6023ffb9425983f6586bdbaab625c5b524122f0afb6813d0b608b6

SHA512
03e479c599e3ef6914df9798097730dd0b2db752047fdc8e83869705dd695af5b907703f7c6af9484f061014fb7f951f12ce244c81e87190d7add39352db78f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46f00e05dc93b82f40d6ac88123e2133

SHA1
1a76049aca4435aeabbc407694265d3cf9ec5652

SHA256
6ed876906b1b74a4585ef02ac74e8419396c4b72430069e2513e3907f87fc7fe

SHA512
e54524b4577d75c71517f3d84e166c4cd9b25978aba6d633dd64171852316b2f34935a04724036e2e1297fb8f2c87eb2c83ef249a2889627082d4c804fcac5a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99334cca75bfac06ecf2744001f9a5e9

SHA1
2aeaaeeb954b45d3806434d9dba0a9081c230e6e

SHA256
700b486e341455c0a33de55c27be7f74a24df4ad42362267412928cba59c6142

SHA512
4a001672c20a1de0b492cce9100ff6b32b031ebcb51bf0f4a8848230edf8429066a9d4430d958a526f1cea6af0a56376d87e44c364bc4f8d4c925ef79c95c8d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
deb0ab2eb543d6b27f492fd226fe8d50

SHA1
cc0857725a306a37a26b4a37677ea30a78430247

SHA256
ab13109e04ae004d3db6b868da9296a203e2a4d7d28b60ddcc3474eefeb18efc

SHA512
1e30a593b6b434b5229c82aaa1deaa4fc021c45064deaab776b782c9d91433f887da142fc49844689ab30466c5bc4dbe56d5573f94b77921ad256f67e1cd1092

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6b84039c80f4986f99be8ad7698dd59

SHA1
3ebe2868b7f19db5b799c872d24347aa01326716

SHA256
bfdf36161134819742067b4cdc553e789b2e4ea796ea25646a8d419e2a6f5868

SHA512
acd325e7e471bb8b3fb6eef57e30259b06939479cc2854a1f6bbf5b3cc5d2a833d7926daa96e8934737a34770453db632e65a4a3288e12915f52260e9da096a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
912ef114add26367d912216361d9b38a

SHA1
d674a056c5febc02b46628d2bac6c21cb96cf887

SHA256
e5a62cf66d463fc83e6d588f1cf5ba17e492de687e299f6c9aa65b1acf5cc7c0

SHA512
2a93beb93a58a6d859f7172c27c3555242cd4e6ecd5ce59b4a0efff17dd3a7099bb977d9407db861ec9e9648d597d15ca2ae20101f95526d2516ed46531f999c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e2d374006bd1c2ddf86cab1595eb6ad

SHA1
dc41ce675b4839955c40850f3a5f70ab6f0a7df3

SHA256
c253ddc3aadab4a1e07e411978950e4b22120264948f7086c7b19c9c08ea563c

SHA512
d2f8b936cb72b5200f9faf1b50e02b5403fa5361934d6fc5b034685a5b2e97ddc19c0089dfc00d64e81200ec7d21429b8c7c47fe414f427c8ff5362536eff783

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a371decec95b2dcdf89f48f9bd20b4e8

SHA1
5b7654c7723c73e65758cbbb2a7a7b4ba18ccce0

SHA256
a1e39cdbfa3629c185a0f05b04e3b193d944d46f8a5635dfc599fc0e8dda6302

SHA512
0c2d89b91be41fe268c3b7610d706f3e92c910eedb657c4adf9c33a2566ef80659ecabcbe42260fe825a08a2d3a159c6627c94fc3e41dc10d0dac54053d70a40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
436458d3fa547591018dd72a77ada67f

SHA1
759e6b67a50492c22e6ff3632adfad942e0e84d4

SHA256
7e99414978c10617bbc6139f531ecf1252cd45342df425321ba721c74a87580f

SHA512
dd85cebe0d645785fe278442cdb8f6cadfc2bd7d22a03b5f256761d9b837a1b5339f7dee7ebee4483f5cf5a877e87691d12786f6883a1513d12f76c496e0c900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3c687f484d38993a0a387a87d08b0ec

SHA1
bbbf79de5a0e63ce99ca9bcd401fee5d338714b9

SHA256
65c47325c6afad49cd24ae92e556b0c822dea035dde0a59bd22e8514141cad7b

SHA512
3918980707c7929a9161d3181524075deb7c217865cd5897734c4c43ffd20e9375e616c85684b6b08d06e3a4d733b70d2da206a0159e6420dbd3f99c590f7daa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5309D101-7656-11EF-B462-D60C98DC526F}.dat

Filesize
5KB

MD5
1a2e8cf000e6449c85f55b064524bee1

SHA1
1950c29267b61bc9b8badb67342415a469bb1824

SHA256
f6491c3350fdf29c3762d6c6b8f10945d67327f71266cc24e99286d70484b716

SHA512
9e81f753d21ca7bb50746f37d50c750780c073863666cae4c03620c8f04ef4029e99c7ef8370413173ab0c08697c054646d73f2ac31f149bce69d305281c709b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEC07.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEC87.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\jishu_260046\jishu_260046.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Users\Admin\AppData\Local\Temp\nsyCABF.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsyCABF.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit